March 2026 Cloaked in Security

ClickFix Malware Continues to Fool End-Users

From the Desk of the CISO

A new variant of the ClickFix malware, dubbed 'CrashFix,' is on the rise. It is a highly sophisticated social engineering attack designed to trick users into voluntarily executing malicious code under a seemingly reasonable pretext. ClickFix additionally continues to propagate, effectively scamming unsuspecting users out of finances and personal information. 

Revisiting ClickFix

The goal of ClickFix is to establish remote access and subsequently exfiltrate critical files, personal data, and/or financial assets. Threat Actors using this TTP achieve this through three high-pressure steps:

  1. Pretext: While using your computer, you receive an unexpected error. This error often takes the form of a failed security check, such as those presented by websites protected by major service providers. Because the error appears embedded in the page and looks like part of a security process, you as the user have no reason to suspect it's fake.

  2. Pivot: After failing the authentication check, a dialogue box containing a terminal command asks you to perform a local check by running the command in your terminal. It provides easy-to-follow steps and the assurance that this is normal and expected whenever in-browser safety checks fail.

  3. Command and Control: The terminal command establishes remote access, and enables the threat actor to access your computer without your knowledge.  

Understanding CrashFix

As in ClickFix, this attack abuses trusted behaviors to coerce user action.

  1. Pretext: The attack typically begins with a fake browser extension, often masquerading as a popular ad-blocker (such as "uBlock Origin Lite" or "NexShield"). Once installed, the extension intentionally waits about an hour before it starts to overload your browser, causing it to freeze or crash repeatedly.

  2. Pivot: When you attempt to restart your browser, the malware displays a very convincing - but fake - error message. It claims the browser has stopped abnormally and provides a set of instructions to "repair" the issue. These instructions ask you to copy a fix to your clipboard and paste it into your computer's "Run" box.

  3. Command and Control: If you follow these instructions, you are not actually fixing your browser. Instead, you are manually running a command that installs a Remote Access Trojan (RAT). In many reports, security researchers are finding that the common RAT used by threat actors in this scenario is called ModeloRAT. This allows hackers to steal your personal information and login credentials, access your device remotely at any time, monitor your activity, and potentially install further malware, such as ransomware.

How to Protect Yourself from ClickFix & CrashFix

  1. Do Not Paste Commands: Never copy and paste commands from a website into your computer's terminal or "Run" box. Legitimate services will never ask you to troubleshoot your computer this way.

  2. Verify Extensions: Only install browser extensions from trusted sources and verify they are the official versions. Be wary of new or "Lite" versions of popular tools that you don't recognize.

  3. Report Unusual Behavior: If your browser begins to crash frequently or displays "repair" instructions similar to those described above, disconnect from the internet immediately and contact the IT team.

  4. Use Multifactor Authentication (MFA): Ensure MFA is enabled on all sensitive accounts. This provides a critical second layer of defense even if a hacker manages to steal your password.

Company News


Tax Season Scams


Filing your taxes is stressful enough without worrying about cybercriminals trying to steal your identity or your refund. BlackCloak’s newest resource helps you spot the red flags and learn how to reduce your risk.


IoT and Smart Devices Assessment & Remediation Report


In our easy-to-use online tool, select the devices you own to understand whether each one tracks your location, listens to your conversations, or uses your personal data. We also provide recommendations to tighten the security settings of these devices to protect your privacy in a complimentary downloadable report.


How to Be Cyber Smart on Social Media


Hardening your social media accounts and knowing the best practices to stay secure while using any platform are critical components of safeguarding your privacy. In this episode, you'll discover practical steps content creators and the average social media user can take to protect their digital life.

Other news worth noting

“Age-Gating” Leads to Data Breach

Discord has postponed a controversial plan to require facial scans or government IDs for age verification following a massive data breach that has led to public outcry. The security breach happened when a partner firm leaked 70,000 user IDs, highlighting the significant risks of centralizing sensitive biometric data on social platforms.

Chrome Extension Data Leak

A security researcher discovered that 287 Google Chrome extensions - affecting over 37 million users - were secretly exfiltrating private browsing histories to third-party data brokers. These extensions often appeared as harmless tools but requested excessive permissions to harvest sensitive user information for corporate profiling.

IRS Taxpayer Data Breach

Major tax preparation companies were found to be transmitting sensitive taxpayer data (including income and filing status) to Meta and Google via embedded tracking pixels. This massive privacy violation occurred without explicit user consent, allowing tech giants to build highly invasive financial profiles of individuals for advertising purposes.